Highest Voted 'css' Questions - IT Security Stack Exchange

38

votes

1 answer

CSS based attacks

I'm currently working on a plugin for a CMS which should allow content editors to write inline style tags. I'm looking for advice / links on how inline styles could be abused. Part of the reason for the plugin is to allow for a strict content…

antimalware css

asked Jun 21 '13 at 11:10

symcbean

18,278
39
73

27

votes

1 answer

What is meant by "Vulnerable with: css class selector" for JQuery?

I'm mostly a beginner in cybersecurity. I came across this the other day about how JQuery 1.3.2 is vulnerable to CSS Selectors and Location Hash (source). I understand how XSS works and I know what CSS selectors are. But I don't really understand…

xss css jquery

asked Nov 13 '17 at 01:19

Akhil

403
5
10

23

votes

3 answers

How dangerous is it to use CSS styles from an untrusted source?

I'm a moderator at a forum. We want to have a new style for the forum. We're thinking about announcing a competition to the users to come up with the best CSS design; we would adopt the best submission. How dangerous would this be? How dangerous is…

attack-prevention css

asked Nov 18 '12 at 21:14

HSN

1,188
12
23

22

votes

2 answers

Does this CSS code expose if a message is read, and how long they have been reading it?

This email analytics company offers an 'engagement metric' that shows how much time someone spends looking at an email, whether the email is printed or deleted. They also claim it works in pretty much all email clients, be it web, desktop or…

email privacy html user-tracking css

asked Mar 13 '15 at 12:49

Cleber Goncalves

403
3
7

11

votes

1 answer

Should javascript and css ".map" source maps be included on production servers?

Source maps are a convenient way to work with directly with code that has been obfuscated and/or minified, yet trace errors back to the original "pretty" code. My understanding is that obfuscating and minifying code generally does not do anything…

javascript css

asked Feb 12 '16 at 17:51

Robert

607
5
13

9

votes

2 answers

Personal stylesheets

In reference to this question, I was researching whether or not there would be any security risks in letting users add their own stylesheets. He brings up a scenario in which a dev might use positions to replace the search and password field. If…

xss csrf user-interface css

asked Dec 15 '15 at 05:23

Meghan

191
4

8

votes

3 answers

Can CSS file contain malware?

I know that javascript files can contain malware. However, I am not so sure about CSS files. They only affect how the page is displayed, right? I know that css files can be used for clickjacking but I cannot imagine how they can be used to infect…

web-application web-browser css

asked Oct 01 '14 at 14:47

Pervy Sage

467
2
6
13

7

votes

1 answer

Is it safe to allow CSS filter: url(data:

We have a web service where logged in users can create web page content and write custom CSS for their pages. All the HTML goes through a whitelist parser and doesn't allow any executable content. All the CSS is put through a whitelist parser that…

web-browser url whitelist css

asked Jun 14 '21 at 13:12

Mikko Rantalainen

513
2
11

6

votes

2 answers

XSS - arbitrary file in background-image css property

Is it possible to make an XSS attack if you can inject an arbitrary file (any extension, like: .js, .html etc...) in background-image CSS property? If yes, how to do it?

xss css

asked Jan 19 '18 at 10:50

Bob

63
1
4

5

votes

3 answers

CAPTCHAs: How does simple math in cleartext prove you're human?

I'm intrigued that many sites use seemingly random numbers with a random operator as a security check to validate that you're not a bot. Forgive my ignorance in captcha technology, but what is stopping the bot from pulling the simple math problem…

authentication web-application html captcha css

asked Dec 13 '14 at 09:00

mattshu

53
1
3

5

votes

1 answer

What's the security risk of using a protocol-relative URL in a CSS stylesheet?

I used SonarQube to perform a static code analysis of my project and it detected a security vulnerability in one of my CSS files: For security reasons, protocol-relative URLs should not be used. Noncompliant Code Example @font-face { src:…

web-application vulnerability url css

asked Sep 10 '19 at 11:49

Benoit Esnard

13,942
7
65
65

5

votes

1 answer

Why should class names be whitelisted?

I am using the Accept known good validation strategy to sanitize user input (rich HTML) and are using a 3rd party component to do this. The component by default requires every permitted class name to explicitly listed, but also has a checkbox to…

web-application html whitelist css

asked Oct 12 '17 at 04:57

Free Radical

734
5
14

5

votes

1 answer

Browser exploits based purely on HTML + CSS

In 2011, Eli Fox-Epstein demonstrated a Rule 110 machine in HTML + CSS3. This led some to say that the combination of HTML + CSS3 is Turing complete. Regardless of whether HTML + CSS3 is technically Turing complete, do any known exploits (in the…

web-browser html html-5 browser-hijacking css

asked May 19 '16 at 14:47

sampablokuper

1,961
1
19
33

4

votes

1 answer

Calling JavaScript functions from within a Style tag XSS

I've identified an XSS in a client's application where they've failed to properly sanitize a variable. The application, however, is written in ASP.NET 2.x and they have request validation turned on. I'm aware of the below string, which will bypass…

web-application xss javascript asp.net css

asked Sep 16 '13 at 21:22

Jingo

151
1
5

4

votes

2 answers

To What Extent does an Attacker Have Access to the Browser History through the CSS Pseudoclass :visited Styles?

I have read this article on how a scripted web page is able to obtain the visited history of a user browsing the page. However, I can't find any clear information in the article describing the extent of who or what can access the user's browser…

javascript html css privacy

asked Sep 02 '13 at 23:02

gate_engineer

Questions tagged [css]